Based on a 4 digit PIN there are 10,000 choices, yet from a sample of 3.4 million 4 digit passwords nearly 11% were the password 1234.

From a table of the top twenty passwords found:

A staggering 26.83% of all passwords could be guessed by attempting these 20 combinations!

(Statistically, with 10,000 possible combination, if passwords were uniformly randomly distributed, we would expect the these twenty passwords to account for just 0.2% of the total, not the 26.83% encountered)

Although the article refers to PIN numbers the data was obtained from user passwords:

Given that users have a free choice for their password, if users select a four digit password to their online account, it’s not a stretch to use this as a proxy for four digit PIN codes

Given human nature. I don't consider this an unreasonable assumption.

Personally I found the distribution of user choices fascinating given the available choice.

Last edited by m0wgli on Thu Sep 27, 2012 3:27 pm, edited 1 time in total.

Very interesting there is a really good talk about random numbers by Paco Hope. That I think relates to these types of topics. He basically explains how random functions are not really random and how things can be predicted. It is worth a look if you can find it online it should be on youtube when he gave it at bsidelondon last year.